From 1a38ececbc4737bfb7996d4c0f879c9872e9930b Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sat, 7 Feb 2015 06:19:26 +0000
Subject: Add tls_config_set_dheparams() to allow specification of the parameters to use for DHE. This enables the use of DHE cipher suites. Rename tls_config_set_ecdhcurve() to tls_config_set_ecdhecurve() since it is only used to specify the curve for ephemeral ECDH. Discussed with reyk@

---
src/lib/libtls/tls_server.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
(limited to 'src/lib/libtls/tls_server.c')

diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index ac44f260ac..8d71d2790f 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.3 2015/01/30 14:25:37 bluhm Exp $ */
+/* $OpenBSD: tls_server.c,v 1.4 2015/02/07 06:19:26 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -63,12 +63,17 @@ tls_configure_server(struct tls *ctx)
 if (tls_configure_keypair(ctx) != 0)
 goto err;
 
- if (ctx->config->ecdhcurve == -1) {
+ if (ctx->config->dheparams == -1)
+ SSL_CTX_set_dh_auto(ctx->ssl_ctx, 1);
+ else if (ctx->config->dheparams == 1024)
+ SSL_CTX_set_dh_auto(ctx->ssl_ctx, 2);
+
+ if (ctx->config->ecdhecurve == -1) {
 SSL_CTX_set_ecdh_auto(ctx->ssl_ctx, 1);
- } else if (ctx->config->ecdhcurve != NID_undef) {
+ } else if (ctx->config->ecdhecurve != NID_undef) {
 if ((ecdh_key = EC_KEY_new_by_curve_name(
- ctx->config->ecdhcurve)) == NULL) {
- tls_set_error(ctx, "failed to set ECDH curve");
+ ctx->config->ecdhecurve)) == NULL) {
+ tls_set_error(ctx, "failed to set ECDHE curve");
 goto err;
 }
 SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_SINGLE_ECDH_USE);
-- 
cgit v1.2.3-55-g6feb
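Review bot: A dheparams value other than -1 or 1024 falls through both new branches silently, leaving no DH parameters configured, whereas the ECDHE branch just below reports a bad setting via tls_set_error() and goto err; if tls_config_set_dheparams() does not already reject every other value, an explicit `else if (ctx->config->dheparams != 0) { tls_set_error(ctx, "unsupported DHE parameters"); goto err; }` (taking 0 as the presumed "none" setting) would surface the mismatch instead of quietly disabling DHE suites. The meaning of the 1 and 2 passed to SSL_CTX_set_dh_auto() is not stated anywhere in the hunk; a comment such as `/* 1: size DH params to the server key; 2: legacy 1024-bit params for interop only */` would document it, assuming that is what the library does with these values. Since the 1024 case exists purely for compatibility, that comment should also note it yields weaker parameters than the auto path. The ECDHE branch sets SSL_OP_SINGLE_ECDH_USE but the DHE branch sets no SSL_OP_SINGLE_DH_USE; if the auto-DH path does not already generate a fresh private key per handshake, the DHE branch should mirror that option. tls_configure_server() begins before and continues after this hunk.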